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RISK MANAGEMENT POLICY 

1. OBJECTIVE OF THE RISK POLICY: 

The objective of the risk policy is to ensure that a strategic plan is developed 
that assist management to make informed decisions which will: 

■ Improve the municipality^ performance on decision making and 
planning; 

■ Promote a more innovative, less risk averse culture in which the taking 
of calculated risks in pursuit of opportunities to benefit the 
municipality is encourage; 

■ Provide a sound basis for integrated risk management and internal 
control a components of good corporate governance; 

■ Promote a reporting system which will facilitate risk reporting; and 

■ Promote an effective culture of risk assessment. 

The improvements and benefits which effective Risk Management should 
provide are: 

■ An increased likelihood of achieving the municipality^ aims, 
objectives and priorities; 

■ Prioritising the allocation of resources; 

■ Giving an early warning of potential problems; and 

■ Providing key officials with the skills to be confident risk takers. 

2. APPLICABLE LEGISLATIVE FRAMEWORK 

2.1. Accounting Officer 

Section 62(l)(c)(i) of the MEMA requires that: 

"(1) The accounting officer of a municipality is responsible for managing 
the financial administration of the municipality, and must for this 
purpose take all responsible steps to ensure- 

(c) that the municipality has and maintains effective, efficient and 
transparent systems - 

(i) of financial and risk management and internal control . " 

2.2, Management, Other Personnel, Chief Risk Officer, Risk Champions 

The extension of general responsibilities in terms of Section 78 of the MEMA 
to aU senior managers and other officials of municipalities implies that 
responsibility for risk management vests at aU levels of management and that 
it is not limited to only the accounting officer and internal audit. 
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2.3. Internal Auditors 

Section 165 (2) (a), (b)(iv) of the MFMA requires that: 

"(2) The internal audit unit of a municipality or municipal entity must - 

(a) prepare a risk based audit plan and an internal audit program 
for each financial year; 

(b) advise the accounting officer and report to the audit 
committee on the implementation on the internal audit plan 
and matters relating to: 

(iv) risk and risk management . " 

Section 2110- Risk Management of the International standards for the 
Professional Practice of Internal Auditing states: 

"The internal audit activity should assist the organisation by identifying and 
evaluating significant exposures to risk and contributing to the improvements 
of risk management and control systems. 

2110. Al- The internal audit activity should monitor and evaluate the 
effectiveness of the organisation's risk management system. 

21 10. A2 - The internal audit activity should evaluate risk exposures relating 
to the organisation's governance, operations, and information 
systems regarding the: 

• Reliability an integrity of financial and operational 
information; 

• Effectiveness and efficiency of operations; 

• Safeguarding of assets; 

• Compliance with laws, regulations, and contracts. 

2110. Cl - During consulting engagements, internal auditors should address 
risk consistent with the engagement's objectives and be alert to 
the existence of other significant risks. 

2110. C2 - Internal Auditors should incorporate knowledge of risks gained 
from consulting engagements into the process of identifying and 
evaluating significant risk exposures of the organisation." 

2.4, Audit Committee 

Section 166 (2) of the MFMA states: 

'f2) An audit committee is an independent advisory body which must - 

(a) advise the municipal council, the political office-bearers, the 
accounting officer and the management staff of the municipality, 
or the board of directors, the accounting officer and management 
staff of the municipal entity, on matters relating to - 


(ii) risk management. 



KEY DEFINITIONS 

For the purpose of this policy, the following words will be defined as follows 


Term 

Explanation 

Risk Management 

Risk Management can be defined as the identification 
and evaluation of actual and potential risk areas as they 
pertain to the municipality as a whole, followed by a 
process of either termination, transfer, acceptance 
(tolerance) or mitigation of each risk. 

Risk 

A risk is something which could: 

• Have an impact by not taking opportunities or not 
capitalising on corporate strengths, 

• Prevent, influence the achievement of the set 
objectives, 

• Cause financial disadvantage, i.e. additional costs 
or loss of money or assets, or 

• Result in damage to or loss of an opportunity to 
enhance the municipality^ reputation. 

Risk Assessment 

The overall process of risk analysis and evaluation. 

Risk Management 
Process 

The systematic application of management policies, 
procedures and practices to the tasks of establishing the 
context, identifying, analyzing, treating, monitoring and 
communicating risks. 

Controls 

These are the existing processes, devices, practice or 
other actions that act to minimize negative risks or 
enhance opportunities. 

Risk Register 

This is a document record of each risk identified. It 
specifies a description of the risk, its causes and it 
impacts; an outline of the existing controls; an 
assessment of the consequences of the risk should it 
occur and the likelihood of the consequence occurring, 
given the controls; a risk rating and an overall priority 
for the risk. 

Impact 

This may be defined as the effect to a business process 
resulting in potential loss or service delivery failure 
should risk arise. 

Likelihood 

This may be defined as the probability that an adverse 
event, which could cause a risk to arise, may occur. 

Types of Risk: 

• Financial/Budget 
Risk 

• Performance 

Risk 

• Political Risk 

• Legal Risk 

• Audit Risk 

• Organisational 
Risk 

Overspend, run out of money, failure to pay, etc. 

Lack of skills and delivery leads to termination. 

Stakeholder unhappiness e.g. Communities. 

Moneys not utilized according to regulations. 

Qualified audit reports reflects very badly on 
managements performance 

Lack of skill, succession, capacity, training 

Branding of the municipality, external image to the 
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• Reputation Risk 

• Information 
technology risk, 
or IT risk, IT- 
related risk 

community. 

is any risk related to information technolosv 

Risk Appetite 

Risk appetite looks at how much risk the municipality is 
willing to accept. There can still be deviations that are 
within a risk appetite. 

Risk Tolerance 

Risk tolerance is the willingness of some person or some 
organization to accept or avoid risk. Risk tolerance looks 
at acceptable/unacceptable deviations from what is 
expected. 


4. Risk Management Principles 

4.1 The principles contained in this policy will be applied at both corporate and 
operational levels within the municipality. 

4.2 The municipality^ Risk Management Policy and Strategy will be applied to 
all operational aspects of the Municipality and will consider external strategic 
risks arising from or related to other government municipality^ and the 
public, as well as wholly internal risks. 

4.3 Our positive approach to risk management means that we will not only look at 
the risk of things going wrong, but also the impact of not taking opportunities 
or not capitalizing on corporate strengths. 

5, General Principles 

5.1 All risk management activities will be aligned to corporate aims, objectives 
and the municipality^ priorities, and aims to protect and enhance the 
reputation and standing of the municipality. 

5.2 Risk analysis will form part of the municipality strategic planning, business 
planning and investment /project appraisal procedures. 

5.3 Risk management will be founded on a risk-based approach to internal control 
which will be embedded into day to day operations of the municipality. 

5.4 Managers and staff at all levels will have the responsibility to identify, 
evaluate and manage or report risks. 

5.5 Our risk management approach will inform and direct our work to gain an 
assurance on the reliability of the municipality systems. 

5.6 We will foster a culture which provides for spreading best practice, lessons 
learned and expertise acquired from our risk management activities across the 
municipality for the benefit of the entire municipality. 
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6, Principles for Managing Specific Risks 

6.1 Risk Management in the municipality should be proactive and reasoned. 
Corporate and operational risks should be identified, objectively assessed, and 
actively managed. 

6.2 The aim is to anticipate, and where possible, avoid risks rather than dealing 
with their consequences. However, for some key areas where the l ik elihood of 
a risk occurring is relatively small, but the impact is high, we may cover that 
risk by developing Contingency Plans. For example, we must develop 
Business Continuity Plans and or Disaster Recovery Plans. This will allow us 
to contain the negative effect of unlikely events which might occur. 

6.3 In determining an appropriate response, the cost of control/risk management, 
and the impact of risks occurring will be balanced with the benefits of 
reducing and or managing risk. This means that we should not necessarily set 
up and monitor controls to counter risks where the cost and effort are 
disproportionate to the impact or expected benefits. 

6.4 We also recognize that some risks can be managed by transferring them to a 
third party, for example by contracting out or by insurance. 

7. RISK MANAGEMENT STRATEGY 

The roles and responsibilities of all stakeholders are clearly defined in the 
approved risk management strategy. 

8 RISK ASSESSMENT METHODOLOGY 

The risk management processes are clearly defined in the risk assessment 
methodology. 

9 Monitoring and Review 

The Risk Management Unit in consultation with the Accounting Office will 
coordinate an annual review of the effectiveness of this policy as well as all 
organizational risks, uninsured and uninsurable risks together with the key 
managers in the municipality. This annual review will take place immediately 
prior to the development of the annual business and integrated development 
plans. 

Internal Audit will monitor key controls identified in the risk management 
system as part of the audit plan developed in conjunction with the Accounting 
Officer, Senior Manager Internal Audit, Risk Management and approved by 
the Audit Committee. 

The municipality will review the risk profile in developing their 
recommendation to the Council regarding the municipality^ risk profile, 
policy, charter, strategy and methodology. 



